Shape Defense
Keywords: adversarial robustness, adversarial defense, adversarial attack, shape, background subtraction
Abstract: Humans rely heavily on shape information to recognize objects. Conversely, convolutional
neural networks (CNNs) are biased more towards texture. This fact
is perhaps the main reason why CNNs are susceptible to adversarial examples.
Here, we explore how shape bias can be incorporated into CNNs to improve their
robustness. Two algorithms are proposed, based on the observation that edges are
invariant to moderate imperceptible perturbations. In the first one, a classifier is
adversarially trained on images with the edge map as an additional channel. At
inference time, the edge map is recomputed and concatenated to the image. In the
second algorithm, a conditional GAN is trained to translate the edge maps, from
clean and/or perturbed images, into clean images. The inference is done over the
generated image corresponding to the input’s edge map. A large number of experiments
with more than 10 data sets have proved the effectiveness of the proposed
algorithms against FGSM and `1 PGD-40 attacks. against FGSM and `$\ell_\infty$ PGD-40 attacks.
Further, we show that edge information can a) benefit other adversarial training methods, b) be even more effective
in conjunction with background subtraction, c) be used to defend against poisoning
attacks, and d) make CNNs more robust against natural image corruptions
such as motion blur, impulse noise, and JPEG compression, than CNNs trained
solely on RGB images. From a broader perspective, our study suggests that CNNs
do not adequately account for image structures and operations that are crucial for
robustness. The code is available at: https://github.com/[masked].
One-sentence Summary: Inspired by human vision, we propose two adversarial defense methods that utilize shape, and show that edge redetection makes models robust to adversarial attacks such as FGSM and PGD-40.
Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics
Community Implementations: [ 8 code implementations](https://www.catalyzex.com/paper/arxiv:2008.13336/code)
Reviewed Version (pdf): https://openreview.net/references/pdf?id=13KyqybEDB
24 Replies
Loading